Update DMARC-how-to.md

Dennis Baaten 2019-09-23 18:55:18 +02:00 committed by GitHub
parent c9ba775ece
commit 65dc1e2325
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -24,18 +24,16 @@ DMARC addresses this problem and enables the owner of a domain to take explicit
* There is a workaround: Forward the appointment as an "iCalendar file" or as an attachment. * There is a workaround: Forward the appointment as an "iCalendar file" or as an attachment.
# Creating a DMARC record # Creating a DMARC record
The DMARC policy is published by means of a DNS TXT record. The DMARC policy is published by means of a DNS TXT record. Before setting up a DMARC record, lets first take a look at all the configuration tags that can be configured within a DMARC record.
Overview
rua: aggregate reports ## Overview of DMARC configuration tag
ruf: forensic reports
| DMARC configuration tag | Required? | Value(s) | Explanation | | DMARC configuration tag | Required? | Value(s) | Explanation |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| v | mandatory | DMARC1; | | | v | mandatory | DMARC1; | |
| p | mandatory | none<br>quarantine<br>reject | None: don't do anything if DMARC verification fails (used for testing)<br>quarantine: treat mail that fails DMARC check as suspicious<br>reject: reject mail that fail DMARC check | | p | mandatory | none<br>quarantine<br>reject | None: don't do anything if DMARC verification fails (used for testing)<br>quarantine: treat mail that fails DMARC check as suspicious<br>reject: reject mail that fail DMARC check |
| rua | optional | rua@example.nl | This field contains the email address used to send aggregate reports to | | rua | optional | rua@example.nl | This field contains the email address used to send **aggregate** reports to |
| ruf | optional |ruf@example.nl | This field contains the email address used to send forensic reports to | | ruf | optional |ruf@example.nl | This field contains the email address used to send **forensic** reports to |
| fo | mandatory | <br>0<br>1<br>s<br>d | Reporting options for failure reports. Generates a report if:<br>- both SPF and DKIM tests fail (0)<br>- either SPF or DKIM test fail (1)<br>- SPF test fails (s)<br>- DKIM test fails (d) | | fo | mandatory | <br>0<br>1<br>s<br>d | Reporting options for failure reports. Generates a report if:<br>- both SPF and DKIM tests fail (0)<br>- either SPF or DKIM test fail (1)<br>- SPF test fails (s)<br>- DKIM test fails (d) |
| adkim | optional | s<br>r | Controls how strict the result of DKIM verification should be intepreted. Strict or relaxed. | | adkim | optional | s<br>r | Controls how strict the result of DKIM verification should be intepreted. Strict or relaxed. |
| aspf | optional | s<br>r | Controls how strict the result of SPF verification should be intepreted. Strict or relaxed. | | aspf | optional | s<br>r | Controls how strict the result of SPF verification should be intepreted. Strict or relaxed. |
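Review bot: the `fo` row marks the tag as "mandatory", but in DMARC (RFC 7489) `fo` is optional and defaults to `0`; only `v` and `p` are required, so this row should read "optional", and the stray empty `<br>` at the start of its value cell should be dropped. The `rua`/`ruf` examples are bare addresses (`rua@example.nl`), yet both tags take URIs, so show them as `rua=mailto:rua@example.nl` / `ruf=mailto:ruf@example.nl` to match the `mailto:` form the how-to uses in its example record. Also "intepreted" in the `adkim`/`aspf` rows is a typo, and their explanation describes alignment mode (whether the DKIM `d=` domain or SPF domain must exactly match the From domain, or may be a subdomain of it) rather than how strictly the verification result is interpreted.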
@ -46,6 +44,11 @@ ruf: forensic reports
Be aware that implementing a DMARC record without a rua configuration is possible, this is not advised because the DMARC XML files that are received by implementing a rua email address can help with implementing DKIM or SPF to meet the DMARC requirements. Be aware that implementing a DMARC record without a rua configuration is possible, this is not advised because the DMARC XML files that are received by implementing a rua email address can help with implementing DKIM or SPF to meet the DMARC requirements.
## Setting up a DMARC record
Depending on your preferences and needs, you can determine the value of the configuration tags. The values below seem like a good starting point when setting up
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.nl; ruf=mailto:dmarc@example.nl; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"
# Implementing DMARC with OpenDMARC for Postfix with SpamAssassin # Implementing DMARC with OpenDMARC for Postfix with SpamAssassin
**Specifics for this setup** **Specifics for this setup**
* Linux Debian 9.8 (Stretch) * Linux Debian 9.8 (Stretch)
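Review bot: the lead-in sentence of the new "Setting up a DMARC record" section stops mid-sentence ("...seem like a good starting point when setting up"); finish it (for example "when setting up DMARC for the first time") and put the `_dmarc IN TXT "..."` line in a fenced code block so the quotes and semicolons survive rendering. Next to the example it is worth stating that `p=quarantine` together with `sp=quarantine` and `pct=100` applies the policy to all mail from the domain and its subdomains immediately; since the paragraph just above recommends using `rua` reports to get SPF and DKIM right first, the text should say explicitly whether readers are expected to start at `p=none` and move to `quarantine` once the aggregate reports look clean.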
@ -135,6 +138,25 @@ and run it every day under the user opendmarc by adding the following to **/etc/
1 0 * * * opendmarc /etc/opendmarc/report_script 1 0 * * * opendmarc /etc/opendmarc/report_script
### Configuring SpamAssassin
SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**.
Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how-to, the DMARC scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's DMARC validation did fail.
With SpamAssassin this can be configured by adding the following scoring configuration parameters to **/etc/spamassassin/local.cf**:
```
#dmarc fail
header CUST_DMARC_FAIL Authentication-Results =~ /mail\.example\.nl; dmarc=fail/
score CUST_DMARC_FAIL 5.0
#dmarc pass
header CUST_DMARC_PASS Authentication-Results =~ /mail\.example\.nl; dmarc=pass/
score CUST_DMARC_PASS -1.0
```
This means that when the "Authentication-Results" header of your e-mail contains "mail.example.nl; dmarc=fail" 5 points will be added to the score; instantly classifying this e-mail as SPAM. On the other hand, if the "Authentication-Results" header of your e-mail contains "mail.example.nl; dmarc=pass" -1 points will be added to the score; classifying this e-mail as legitimate.
# Special thanks # Special thanks
Our infinite gratitude goes out to the following people for their support in building this how-to for DANE. Our infinite gratitude goes out to the following people for their support in building this how-to for DANE.
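Review bot: both rules are anchored to the literal authserv-id `mail.example.nl` inside the regex, so the text should tell readers to replace it with the authserv-id their own OpenDMARC instance writes into `Authentication-Results`; otherwise neither rule ever matches and the score is unaffected. Because any inbound message can already carry an `Authentication-Results` header, the `-1.0` for `CUST_DMARC_PASS` should only be trusted when the receiving MTA strips pre-existing headers that claim its own authserv-id before OpenDMARC adds its result; the section should say where in this setup that happens. Minor wording: "if the score at least "5"" should read "is at least 5", "did fail" should be "fails", and "-1 points will be added" reads better as "1 point will be subtracted". The unchanged "Special thanks" context below still says "this how-to for DANE" in a DMARC how-to, which looks like a copy-paste leftover worth fixing in a follow-up.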